DETAILED ACTION

1. Claims 1-31 and 59-89 are pending. 

2. Election filed 06/09/2005 has been received and considered. 

Election/Restrictions 

3. Applicant's election of Group I (claims 1-31 and 59-89) in 
the reply filed on 06/09/2005 is acknowledged. Because 
applicant did not distinctly and specifically point out the 
supposed errors in the restriction requirement, the election has 
been treated as an election without traverse (MPEP § 818.03(a)). 

Claim Rejections - 35 USC § 101 

4. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, 
manufacture, or composition of matter, or any new and useful improvement 
thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

5. Claims 1-31 and 59-89 are rejected under 35 U.S.C. 101 
because the claimed invention is directed to non-statutory 
subject matter. 

The language of claims 1-31 and 59-89 raises a question as
to whether the claim is directed merely to an abstract idea that
is not tied to a technological art, environment or machine which
would result in a practical application producing a concrete,
useful, and tangible result to form the basis of statutory
subject matter under 35 U.S.C. 101.

Claim Rejections - 35 USC § 103

6. The following is a quotation of 35 U.S.C. 103(a) which 
forms the basis for all obviousness rejections set forth in this 
Office action: 

(a) A patent may not be obtained though the invention is not identically 
disclosed or described as set forth in section 102 of this title, if the 
differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at 
the time the invention was made to a person having ordinary skill in the 
art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

7. Claims 1-3, 7-10, 16-19, 25-30, 59-61, 65-68, 74-77, 83-88
are rejected under 35 U.S.C. 103(a) as being unpatentable over
Adler (US 20030149777) and further in view of Cline et al (US
5313616).

Application/Control Number: 10/734,083 Page 4

Art Unit: 2137

As per claims 1 and 59, Adler discloses receiving a
starting point of a computer attack with respect to said
network; and generating an augmented attack tree representing at
least one attack path possible from said starting point,
wherein, said starting point is a root of said augmented attack
tree, for a current node being evaluated as part of said
generating, a resulting node and an edge connecting said current
node to said resulting node are added to said augmented attack
tree if said edge and said resulting node are not already
included in said augmented attack tree with said edge connecting
an ancestor of the current node to an instance of the resulting
node (see paragraphs 21-23 and 55-56; and figures 2-3).

Adler fails to disclose the augmented tree being pruned.
However, Cline teaches pruning a tree (see column 13 lines
31-43).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art to prune Adler's attack
tree.

Motivation to do so would have been to increase the
efficiency of the routine (see Cline column 14 lines 18-29).

As per claims 2 and 60, the modified Adler and Cline system
discloses the pruned augmented attack tree is a tree including n
levels, said starting point being a root of said tree at level
0, n being at least 0 (see Adler paragraphs 55-56 and figures
2-3).

As per claims 3 and 61, the modified Adler and Cline system
discloses said pruned augmented attack tree represents
information about at least one of: an attacker state including a
host and an attacker access level on said host, and a network
state (see Adler paragraphs 21-23 and 55-56; and figures 2-3).

As per claims 7-8 and 65-66, the modified Adler and Cline
system discloses said current node is at a level n, and said
ancestors of said current node are located at levels in said
pruned augmented attack tree at a level less than n and said
pruned augmented attack tree is generated using a breadth first
search technique in which nodes are added to said pruned
augmented attack tree at an nth level prior to adding any node
from level n+1 to said pruned augmented attack tree (see Adler
figures 2-3).

As per claims 9 and 67, the modified Adler and Cline system
discloses a plurality of computer attack paths for said network
are represented using a plurality of pruned augmented attack
trees, each of said pruned augmented attack trees representing
computer attack paths originating from a unique starting point
(see Adler figures 2-3).

As per claims 10 and 68, the modified Adler and Cline
system discloses said starting point is one of: from within said
network and external to said network (see Adler paragraphs 21-23
and 55-56; and figures 2-3).

As per claims 16 and 74, the modified Adler and Cline
system discloses said generating uses connectivity information,
said connectivity information including a connection between two
endpoints representing elements of a configuration of said
network (see Adler figures 2-3).

As per claims 17 and 75, the modified Adler and Cline
system discloses said connectivity information includes physical
connectivity between network interfaces and logical connectivity
through network communications protocols (see Adler paragraphs
21-23 and 55-56; and figures 2-3).

As per claims 18-19 and 76-77, the modified Adler and Cline
system discloses said connection is associated with a path
including one or more hops wherein each of said one or more hops
is associated with at least one of: a filtering rule, a
translation rule, and an interface of a host in said network
(see Adler paragraphs 21-23 and 55-56; and figures 2-3).

As per claims 25 and 83, the modified Adler and Cline
system discloses connectivity data representing connectivity
between pairs of endpoints in said network is used by said
generating, and the method further comprising: automatically
generating said connectivity data in accordance with at least
one translation rule, at least one filtering rule, and network
configuration information (see Adler paragraphs 21-23 and 55-56;
and figures 2-3).

As per claims 26 and 84, the modified Adler and Cline
system discloses said at least one translation rule includes at
least one of: an address translation rule and a port translation
rule (see Adler paragraphs 21-23 and 55-56; and figures 2-3).

As per claims 27 and 85, the modified Adler and Cline
system discloses selecting at least one address of a starting
point of a computer attack using at least one rule; and
determining a portion of said connectivity data using said at
least one address (see Adler paragraphs 21-23 and 55-56; and
figures 2-3).

As per claims 28-30 and 86-88, the modified Adler and Cline
system discloses said at least one rule includes at least one of
a filtering rule and a translation rule and said at least one
address is used in said generating to represent an alternate
connectivity of a host said address is one of an address in
accordance with a communications protocol and an address
associated with said network (see Adler paragraphs 21-23 and
55-56; and figures 2-3).

8. Claims 4-6, 20-24, 31, 62-64, 78-82, 89 are rejected under
35 U.S.C. 103(a) as being unpatentable over the modified Adler
and Cline system as applied to claims 1, 3, 16, 59, 61, 74
above, and further in view of Schneier (US 5850516).

As per claims 4 and 62, the modified Adler and Cline system
fails to disclose an edge from a first node at level x to a
second node at level x+1 represents an action while in a first
state including a first attacker state corresponding to said
first node resulting in a second state including a second
attacker state.

However, Schneier teaches an edge from a first node at
level x to a second node at level x+1 represents an action while
in a first state including a first attacker state corresponding
to said first node resulting in a second state including a
second attacker state (see column 6 lines 25-47).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art to use Schneier's tree
structure in the attack tree generation system of Adler and
Cline.

Motivation to do so would have been to analyze the security
of a system in a formal and flexible manner (see Schneier column
3 lines 4-10).

As per claims 5-6 and 63-64, the modified Adler, Cline and
Schneier system discloses said action exploits a vulnerability
on a host in said network wherein said first attacker state
represents a first host and a first attacker access level on
said first host, and said second attacker state represents at
least one of: a second host and a second attacker access level
on said second host, and said first host and a second attacker
access level on said first host wherein said second attacker
access level represents at least one of: an increase in attacker
privilege, an increase in attacker access, and an increase in
attacker knowledge (see Schneier column 6 lines 25-47).

As per claims 20-22 and 78-80, the modified Adler, Cline and
Schneier system discloses at least one of said endpoints is
associated with a vulnerability on said at least one endpoint
wherein said vulnerability has an associated action resulting in
exploitation of said vulnerability wherein said associated
action is related to an entity representing at least one of: an
attacker access level, attacker knowledge level, a change to a
network state (see Schneier column 6 lines 25-47).

As per claims 23-24 and 81-82, the modified Adler, Cline and
Schneier system discloses said pruned augmented attack tree is
used to determine an effect of preventing at least one action
(see Schneier column 17 line 61 through column 18 line 3) and
modifying said pruned augmented attack tree in accordance with
eliminating at least one action in connection with a
vulnerability associated with said host producing a modified
augmented attack tree; and evaluating said modified augmented
attack tree (see Cline column 13 lines 31-43 and Schneier column
7 lines 39-52).

As per claims 31 and 89, the modified Adler, Cline and
Schneier system discloses using vulnerability data to determine
at least one of: requirements for an action, an attacker state
resulting from an action, and a network state resulting from an
action, where said requirements include a locality describing
whether a vulnerability can be exploited remotely over a network
or locally on a host, said resulting attacker state includes an
effect describing an access level or privilege or knowledge
after an exploit of a vulnerability, and said resulting network
state includes a denial of service describing a loss of service
on a host after an exploit of a vulnerability (see Schneier
column 6 lines 25-47).

9. Claims 13 and 71 are rejected under 35 U.S.C. 103(a) as
being unpatentable over the modified Adler and Cline system as
applied to claims 1 and 59 above, and further in view of Swiler
et al (Computer-Attack Graph Generation Tool).

As per claims 13 and 71, the modified Adler and Cline
system fails to disclose said pruned augmented attack tree has a
property that a resulting node at a level "n+1" and an edge
connecting a current node at level "n" to said resulting node
are included in said pruned augmented attack tree if said edge
and said resulting node are not already included in said pruned
augmented attack tree with said edge connecting an ancestor of
the current node to an instance of the resulting node, said
ancestor being a node at a level "x" < "n" and said instance of
the resulting node being at level "x+1".

However, Swiler teaches such a property (see section 3.3).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art for the modified Adler and
Cline system's graphs to have the property of Swiler's graphs.

Motivation to do so would have been to ensure that large
graphs could be analyzed (see section 3.3).

10. Claims 14 and 72 are rejected under 35 U.S.C. 103(a) as
being unpatentable over the modified Adler and Cline system as
applied to claims 1 and 59 above, and further in view of Ammann
et al (Scalable, Graph-Based Network Vulnerability Analysis).

As per claims 14 and 72, the modified Adler and Cline
system fails to disclose determining which hosts in said network
are equivalent forming a group; and representing said group with
a single host.

However, Ammann teaches such grouping (see page 223 right
column).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art to group similar hosts in
the modified system of Adler and Cline.

Motivation to do so would have been to simplify the attack
graph (see Ammann page 223 right column).

11. Claims 11-12 and 69-70 are rejected under 35 U.S.C. 103(a)
as being unpatentable over the modified Adler, Cline and
Schneier system as applied to claims 6 and 64 above, and further
in view of Swiler et al.

As per claims 11-12 and 69-70, the modified Adler, Cline 
and Schneier system fails to disclose evaluating each action 
that exploits a vulnerability of a host in accordance with 
connectivity data wherein said connectivity data, said each 
action, and said vulnerability are stored in a database and 
determined prior to performing said generating. 

However, Swiler teaches evaluating each action that 
exploits a vulnerability of a host in accordance with 
connectivity data (see section 2.2) wherein said connectivity 
data, said each action, and said vulnerability are stored in a 
database and determined prior to performing said generating (see 
sections 3.1 and 3.2.1). 

At the time of the invention it would have been
obvious to a person of ordinary skill in the art to use Swiler's
data collection and storing method in the modified system of
Adler, Cline and Schneier.

Motivation to do so would have been that commercial tools
primarily use databases to store results (see section 3.2.1).

Conclusion

12. The prior art made of record and not relied upon is 
considered pertinent to applicant's disclosure. Hughes (US 
20020184504) teaches pruning trees; Ramanujan et al (US 
20030110288) teaches a pruned attack tree; Tan (US 20040199576) 
teaches grouping nodes together. 

Any inquiry concerning this communication or earlier
communications from the examiner should be directed to Michael
Pyzocha whose telephone number is (571) 272-3875. The examiner
can normally be reached on 7:00am - 4:30pm first Fridays of the
bi-week off.

If attempts to reach the examiner by telephone are
unsuccessful, the examiner's supervisor, Emmanuel Moise, can be
reached on (571) 272-3865. The fax phone number for the
organization where this application or proceeding is assigned is
703-872-9306.

Information regarding the status of an application may be
obtained from the Patent Application Information Retrieval
(PAIR) system. Status information for published applications
may be obtained from either Private PAIR or Public PAIR. Status
information for unpublished applications is available through
Private PAIR only. For more information about the PAIR system,
see http://pair-direct.uspto.gov. Should you have questions on
access to the Private PAIR system, contact the Electronic
Business Center (EBC) at 866-217-9197 (toll-free).